; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2013 ; Some options used here may be inadequate for your particular configuration ; This sample file does *not* represent stunnel.conf defaults ; Please consult the manual for detailed description of available options ; ************************************************************************** ; * Global options * ; ************************************************************************** ; A copy of some devices and system files is needed within the chroot jail ; Chroot conflicts with configuration file reload and many other features chroot = /var/run/stunnel/ ; Chroot jail can be escaped if setuid option is not used setuid = nobody setgid = nobody ; PID is created inside the chroot jail pid = /stunnel.pid ; Debugging stuff (may useful for troubleshooting) ;debug = 7 ;output = stunnel.log ; ************************************************************************** ; * Service defaults may also be specified in individual service sections * ; ************************************************************************** ; Certificate/key is needed in server mode and optional in client mode cert = /etc/stunnel/mail.pem ;key = /etc/stunnel/mail.pem ; Authentication stuff needs to be configured to prevent MITM attacks ; It is not enabled by default! ;verify = 2 ; Don't forget to c_rehash CApath ; CApath is located inside chroot jail ;CApath = /certs ; It's often easier to use CAfile ;CAfile = /etc/stunnel/certs.pem ;CAfile = /etc/pki/tls/certs/ca-bundle.crt ; Don't forget to c_rehash CRLpath ; CRLpath is located inside chroot jail ;CRLpath = /crls ; Alternatively CRLfile can be used ;CRLfile = /etc/stunnel/crls.pem ; Disable support for insecure SSLv2 protocol options = NO_SSLv2 ; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS ; These options provide additional security at some performance degradation ;options = SINGLE_ECDH_USE ;options = SINGLE_DH_USE ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** ; Example SSL server mode services [pop3s] accept = 995 connect = 110 [imaps] accept = 993 connect = 143 [ssmtp] accept = 465 connect = 25 ; Example SSL client mode services ;[gmail-pop3] ;client = yes ;accept = 127.0.0.1:110 ;connect = pop.gmail.com:995 ;[gmail-imap] ;client = yes ;accept = 127.0.0.1:143 ;connect = imap.gmail.com:993 ;[gmail-smtp] ;client = yes ;accept = 127.0.0.1:25 ;connect = smtp.gmail.com:465 ; Example SSL front-end to a web server ;[https] ;accept = 443 ;connect = 80 ; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL ; Microsoft implementations do not use SSL close-notify alert and thus ; they are vulnerable to truncation attacks ;TIMEOUTclose = 0 ; vim:ft=dosini